", vbulletin,jelsoft,forum,bbs,discussion,bulletin board" /> " Fedora Development" /> Rawhide: selinux: "Unable to get valid context for <username>" - Linux Archive
FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Redhat > Fedora Development

 
 
LinkBack Thread Tools
 
Old 06-19-2011, 02:44 PM
"Richard W.M. Jones"
 
Default Rawhide: selinux: "Unable to get valid context for "

Anyone seeing this error? Unless I boot with enforcing=0, I see
this error when I try to log in as any user:

Unable to get valid context for <username>

It seems like it's just started happening, since I upgraded something
within the last 1-2 weeks.

Is there any way to debug this error further?

Rich.

--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming blog: http://rwmj.wordpress.com
Fedora now supports 80 OCaml packages (the OPEN alternative to F#)
http://cocan.org/getting_started_with_ocaml_on_red_hat_and_fedora
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
 
Old 06-19-2011, 04:42 PM
Jim Meyering
 
Default Rawhide: selinux: "Unable to get valid context for "

Richard W.M. Jones wrote:
> Anyone seeing this error? Unless I boot with enforcing=0, I see
> this error when I try to log in as any user:
>
> Unable to get valid context for <username>
>
> It seems like it's just started happening, since I upgraded something
> within the last 1-2 weeks.

Hi Rich,

I'm using 3.0-0.rc3.git5.1.fc16.x86_64 in enforcing mode (of course ;-)
and don't see any problem when logging in via ssh:

h$ ssh r date
Sun Jun 19 18:34:32 CEST 2011
h$ ssh r
Last login: Sun Jun 19 18:33:11 2011 from 192.168.122.1
r$ :

Everything is up to date, at least wrt whatever mirror I'm using.
My shell on that system is zsh; but I got the same result when
temporarily switching it to bash.

> Is there any way to debug this error further?

If you're seeing it on a console, strace agetty or whatever
you're using as the server. If via ssh, strace sshd.
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
 
Old 06-19-2011, 04:59 PM
"Richard W.M. Jones"
 
Default Rawhide: selinux: "Unable to get valid context for "

On Sun, Jun 19, 2011 at 06:42:34PM +0200, Jim Meyering wrote:
> Richard W.M. Jones wrote:
> > Anyone seeing this error? Unless I boot with enforcing=0, I see
> > this error when I try to log in as any user:
> >
> > Unable to get valid context for <username>
> >
> > It seems like it's just started happening, since I upgraded something
> > within the last 1-2 weeks.
>
> Hi Rich,
>
> I'm using 3.0-0.rc3.git5.1.fc16.x86_64 in enforcing mode (of course ;-)
> and don't see any problem when logging in via ssh:
>
> h$ ssh r date
> Sun Jun 19 18:34:32 CEST 2011
> h$ ssh r
> Last login: Sun Jun 19 18:33:11 2011 from 192.168.122.1
> r$ :
>
> Everything is up to date, at least wrt whatever mirror I'm using.
> My shell on that system is zsh; but I got the same result when
> temporarily switching it to bash.

I was still seeing it, even after just updating everything and
rebooting the VM:

$ ssh 192.168.122.151
Unable to get valid context for rjones
Last login: Sun Jun 19 17:46:29 2011 from 192.168.122.1
Connection to 192.168.122.151 closed.

However I then touched /.autorelabel using guestfish:

# guestfish -i --rw -d FedoraRawhidex64 touch /.autorelabel

(it turns out I've written about this before, but had forgotten, see
https://rwmj.wordpress.com/2010/01/06/tip-autorelabel-a-vm/).

And that fixed it! However I don't know why ...

Rich.

--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
libguestfs lets you edit virtual machines. Supports shell scripting,
bindings from many languages. http://libguestfs.org
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
 
Old 06-20-2011, 11:05 AM
Daniel J Walsh
 
Default Rawhide: selinux: "Unable to get valid context for "

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 06/19/2011 12:59 PM, Richard W.M. Jones wrote:
> On Sun, Jun 19, 2011 at 06:42:34PM +0200, Jim Meyering wrote:
>> Richard W.M. Jones wrote:
>>> Anyone seeing this error? Unless I boot with enforcing=0, I see
>>> this error when I try to log in as any user:
>>>
>>> Unable to get valid context for <username>
>>>
>>> It seems like it's just started happening, since I upgraded something
>>> within the last 1-2 weeks.
>>
>> Hi Rich,
>>
>> I'm using 3.0-0.rc3.git5.1.fc16.x86_64 in enforcing mode (of course ;-)
>> and don't see any problem when logging in via ssh:
>>
>> h$ ssh r date
>> Sun Jun 19 18:34:32 CEST 2011
>> h$ ssh r
>> Last login: Sun Jun 19 18:33:11 2011 from 192.168.122.1
>> r$ :
>>
>> Everything is up to date, at least wrt whatever mirror I'm using.
>> My shell on that system is zsh; but I got the same result when
>> temporarily switching it to bash.
>
> I was still seeing it, even after just updating everything and
> rebooting the VM:
>
> $ ssh 192.168.122.151
> Unable to get valid context for rjones
> Last login: Sun Jun 19 17:46:29 2011 from 192.168.122.1
> Connection to 192.168.122.151 closed.
>
> However I then touched /.autorelabel using guestfish:
>
> # guestfish -i --rw -d FedoraRawhidex64 touch /.autorelabel
>
> (it turns out I've written about this before, but had forgotten, see
> https://rwmj.wordpress.com/2010/01/06/tip-autorelabel-a-vm/).
>
> And that fixed it! However I don't know why ...
>
> Rich.
>


If a login program says "Unable to get valid context for <username>" it
almost certainly means the login program is running with the wrong
context. The login program asks SELinux what is the context to assign
to <username> when it logs in.

This means sshd should ask what context should sshd_t login dwalsh. But
if sshd is running with the wrong context (almost assuredly caused by a
labeling problem.) the kernel/libselinux will return an error, and the
login program will ask the user.

For example sshd running as initrc_t or kernel_t would get an error.
Usually a relabel will clean up the error. If you see this and can get
a login shell run "ps -eZ | grep sshd" to see what context the login
program is running as.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk3/KW0ACgkQrlYvE4MpobNk6ACdH8T3T7EV7vOx9hsyG//WdtWl
BCUAnRkXrX9ozj8Y8TOeLGuG8+kPohpF
=zEu8
-----END PGP SIGNATURE-----
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
 

Thread Tools




All times are GMT. The time now is 12:10 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org